On Fri, 2025-01-31 at 17:13 -0800, Sean Christopherson wrote: > Reject userspace attempts to set the Xen hypercall page MSR to an index > outside of the "standard" virtualization range [0x40000000, 0x4fffffff], > as KVM is not equipped to handle collisions with real MSRs, e.g. KVM > doesn't update MSR interception, conflicts with VMCS/VMCB fields, special > case writes in KVM, etc. > > Allowing userspace to redirect any MSR write can also be used to attack > the kernel, as kvm_xen_write_hypercall_page() takes multiple locks and > writes to guest memory. E.g. if userspace sets the MSR to MSR_IA32_XSS, > KVM's write to MSR_IA32_XSS during vCPU creation will trigger an SRCU > violation due to writing guest memory: > > ============================= > WARNING: suspicious RCU usage > 6.13.0-rc3 > ----------------------------- > include/linux/kvm_host.h:1046 suspicious rcu_dereference_check() usage! > > stack backtrace: > CPU: 6 UID: 1000 PID: 1101 Comm: repro Not tainted 6.13.0-rc3 > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 > Call Trace: > <TASK> > dump_stack_lvl+0x7f/0x90 > lockdep_rcu_suspicious+0x176/0x1c0 > kvm_vcpu_gfn_to_memslot+0x259/0x280 > kvm_vcpu_write_guest+0x3a/0xa0 > kvm_xen_write_hypercall_page+0x268/0x300 > kvm_set_msr_common+0xc44/0x1940 > vmx_set_msr+0x9db/0x1fc0 > kvm_vcpu_reset+0x857/0xb50 > kvm_arch_vcpu_create+0x37e/0x4d0 > kvm_vm_ioctl+0x669/0x2100 > __x64_sys_ioctl+0xc1/0xf0 > do_syscall_64+0xc5/0x210 > entry_SYSCALL_64_after_hwframe+0x4b/0x53 > RIP: 0033:0x7feda371b539 > > While the MSR index isn't strictly ABI, i.e. can theoretically float to > any value, in practice no known VMM sets the MSR index to anything other > than 0x40000000 or 0x40000200. > > Reported-by: syzbot+cdeaeec70992eca2d920@xxxxxxxxxxxxxxxxxxxxxxxxx > Closes: https://lore.kernel.org/all/679258d4.050a0220.2eae65.000a.GAE@xxxxxxxxxx > Cc: Joao Martins <joao.m.martins@xxxxxxxxxx> > Cc: Paul Durrant <paul@xxxxxxx> > Cc: David Woodhouse <dwmw@xxxxxxxxxxxx> > Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx> With macros for the magic numbers as discussed (and a corresponding update to the documentation), and with the Reported-by: and Closes: tags dropped because they should move to the commit which makes the hypercall page only trigger for !host_initiated writes and resolves it in a more future-proof way for the general case, Reviewed-by: David Woodhouse <dwmw@xxxxxxxxxxxx>
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
